BitLocker Compliant or Practical? Mixed Message by Microsoft

On one hand, Microsoft says that BitLocker with pre-boot authentication (TPM + PIN) is the recommended best practice (See Here). On the other, Microsoft admits that BitLocker with their pre-boot authentication “inconveniences users and increases IT management costs.” A mixed message for any IT pro responsible for keeping devices compliant and secure.

Read on to discover the compliance shortfalls of BitLocker and how to address them.

The Rise of Windows 10

Just three short years ago – on July 29, 2015 – Windows 10 burst onto the scene with businesses adopting it faster than ever before. Today, focus lies on the threat landscape, as regulatory pressure for data privacy and security increases. You’ve got new regulations coming from the EU (e.g. GDPR), while current standards – such as HIPAA, PCI DSS and FISMA – are constantly evolving and consistently reference encryption as an effective control to help achieve compliance.

Microsoft’s answer to this building pressure is to use what is already in their toolbox, namely BitLocker and MBAM (Microsoft BitLocker Administration and Monitoring). However, that is not enough to be either compliant or secure.

Start With BitLocker

Let’s be honest, the main reason anyone looks to deploy encryption is for compliance, and BitLocker is a starting point. It offers fast, OS built-in encryption to mitigate unauthorized data access on lost or stolen devices. But does Microsoft BitLocker alone offer good enough protection? Simply put, no. In fact, a large financial customer of ours recently put BitLocker to the test, concluding it could not meet their security needs, even with MBAM.

Here were their findings:

Compliance Gaps

FIPS 140-2 / PCI DSS

Federal Information Processing Standards (FIPS) Publication 140-2 is the U.S. government standard for approved cryptographic modules. It’s the first box any business checks when evaluating encryption. Full disk encryption protects data on your drive, but it’s only effective when the encryption key is protected with strong authentication. BitLocker offers multiple options for authentication, yet it is not FIPS 140-2 compliant in TPM + PIN or TPM + Network Unlock mode (See Here). But the alternative – using TPM protection only, without user authentication – conflicts with PCI DSS requirements, since logical access must be separate from the native OS and access control mechanisms (See Here).

One of the simplest methods to improve security is with password policies. But to be effective, passwords need to be strong and updated periodically. BitLocker – with or without MBAM – cannot enforce PIN complexity, only PIN length. Even worse, BitLocker PINs are tied to the machine, not the user, so users will need to share PINs and remember a different PIN for every device they have access to. Not only are these poor password practices, they also don’t meet compliance requirements, including PCI DSS (See Here).

Reporting and Audits

When it comes to compliance, you need 1) protection and 2) proof. In this customer’s case, BitLocker clients only reported active encryption status when the system checked into MBAM. What about historical data? This reveals serious gaps in visibility, since devices could be decrypted, and they – like most businesses – need more than just real-time reports for audit; they need proof from the time a device is provisioned to its end-of-life.

“MBAM reporting doesn’t provide the required level of assurance of encryption status.” – Internal findings with a large enterprise

Single OS

Most obviously, BitLocker is designed for Windows and will only ever support Microsoft hosts, so additional full disk encryption and key management products must be factored into security costs for macOS and Linux systems. Beyond endpoints, BitLocker must be managed via scripts on servers and virtual machines – whether on-prem or in the cloud. The result is multiple encryption silos and gaps in compliance visibility.

“Deploying MBAM to manage BitLocker would require us to employ at least two additional independent solutions for macOS and Linux impacting our compliance visibility.” – Internal findings with a large enterprise

It Gets More Serious

As the threat landscape evolves, businesses must take note of threats posed against not just their data, but also the security they employ to protect it. BitLocker is no exception.

Pre-Boot Vulnerabilities

Microsoft says this about BitLocker: “pre-boot authentication provides excellent startup security, but it inconveniences users and increases IT management costs” (See Here). Hence most businesses opt for TPM-only, but Microsoft also states that the “TPM-only authentication method offers the lowest level of data protection,” which “can be affected by potential weaknesses in hardware or in the early boot components” (See Here). So what choice do businesses have? They can either inconvenience users, or leave themselves exposed to cold boot and memory remanence attacks. In this case, our customer wasn’t willing to compromise.

“Without pre-boot authentication, compliance and security becomes solely reliant on the future state of Windows security and the specific hardware operating environment.” – Internal findings with a large enterprise

User Tampering / System Updates

When businesses deploy a security solution, they expect it to actively protect their systems and data at all times. However, BitLocker allows any user or application with elevated rights to suspend key protection or even decrypt the drive. Users can simply access Control Panel, Command Prompt or Windows PowerShell to tamper with encryption status or key protectors. In this customer’s case, there are over 14,000 users with local admin rights and frequent system updates. BitLocker on its own was just not enough.

“The fact that any user with administration rights can suspend BitLocker encryption creates a significant risk.” – Internal findings with a large enterprise
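The reporting gap and the tampering risk above both come down to the same question: can you show, with a record that survives beyond the last MBAM check-in, whether each volume was encrypted and protected at a given moment? The following PowerShell script is an added example (not WinMagic’s SecureDoc code, nor anything from Microsoft’s documentation) of the kind of scheduled compliance snapshot a defender would run on each Windows host. It uses the built-in BitLocker module’s Get-BitLockerVolume cmdlet, appends one timestamped JSON line per volume to a history file, and flags the conditions discussed on this page: protection suspended on an encrypted volume (what an elevated user gets from the Control Panel, manage-bde or Suspend-BitLocker), a volume that is not encrypted, an OS volume protected by the TPM alone with no pre-boot user factor, and a missing recovery password protector. The history file path is an assumption; the finding names are invented labels for this example.

```powershell
# Added example (not the page's or any vendor's code): periodic BitLocker compliance
# snapshot with an append-only history and simple findings.
# Assumptions: the BitLocker PowerShell module is present (Windows 8 / Server 2012 and
# later), the script runs elevated, and $HistoryPath is a location you control.

#Requires -RunAsAdministrator
param(
    [string]$HistoryPath = 'C:\ProgramData\BitLockerAudit\history.jsonl'  # assumed path
)

Import-Module BitLocker -ErrorAction Stop

# Protector types that require something the user holds or knows at pre-boot.
$preBootUserFactor = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')

function Get-BitLockerComplianceSnapshot {
    $now = (Get-Date).ToUniversalTime().ToString('o')
    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = @()

        # Still encrypted but protection is off: the protectors were suspended, which is
        # exactly what "Suspend protection" in Control Panel or Suspend-BitLocker produces.
        if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
            $findings += 'ProtectionSuspended'
        }
        # Decrypted or being decrypted: no protection for data at rest.
        if ($vol.VolumeStatus -eq 'FullyDecrypted' -or $vol.VolumeStatus -eq 'DecryptionInProgress') {
            $findings += 'NotEncrypted'
        }
        # OS volume relying on the TPM alone, with no pre-boot user factor.
        if ($vol.VolumeType -eq 'OperatingSystem' -and ($types -contains 'Tpm') -and
            -not ($types | Where-Object { $preBootUserFactor -contains $_ })) {
            $findings += 'TpmOnlyNoPreBootAuth'
        }
        # No escrowable recovery password means no recovery path for the help desk.
        if (-not ($types -contains 'RecoveryPassword')) {
            $findings += 'NoRecoveryPasswordProtector'
        }

        [pscustomobject]@{
            Timestamp        = $now
            Computer         = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType.ToString()
            VolumeStatus     = $vol.VolumeStatus.ToString()
            ProtectionStatus = $vol.ProtectionStatus.ToString()
            EncryptionMethod = $vol.EncryptionMethod.ToString()
            KeyProtectors    = ($types -join ';')
            Findings         = ($findings -join ';')
        }
    }
}

function Write-SnapshotHistory {
    param(
        [Parameter(ValueFromPipeline)] $Record,
        [string] $Path
    )
    begin   { New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null }
    process { ($Record | ConvertTo-Json -Compress) | Add-Content -Path $Path -Encoding UTF8 }
}

$snapshot = Get-BitLockerComplianceSnapshot
$snapshot | Write-SnapshotHistory -Path $HistoryPath

# Show anything that needs attention; a scheduled task would forward this instead.
$snapshot |
    Where-Object { $_.Findings } |
    Format-Table MountPoint, VolumeStatus, ProtectionStatus, KeyProtectors, Findings -AutoSize
```

Run it from a scheduled task at a fixed interval and ship the JSON Lines file to a log collector or SIEM rather than leaving it on the host: the same local administrator who can suspend protection can also edit a local file, so the history only counts as proof once a copy lives somewhere that account cannot reach. The snapshot answers "what was the state at time T" for every interval from provisioning onward, which is the gap the customer found in MBAM's real-time-only reporting.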

Close the Gaps with SecureDoc

We know BitLocker works seamlessly with Windows, offering fast encryption built-in to your Windows licenses. Yet, we also know that your business doesn’t operate on a single platform, and not everyone has access to the licensing required for MBAM. Even for those who do, experience shows that enterprises are not just looking for “administration and monitoring,” they require a trusted layer of security control and compliance.

WinMagic is helping businesses get the most out of BitLocker. Our solution doesn’t just manage BitLocker, it makes it smarter, simpler and more secure. We know the main reason anyone looks to deploy encryption is compliance, not user productivity. But the best part about SecureDoc is that it’s designed so you can have both. Most notably, our user-based PBA provides best-practice authentication, and market-leading tamper protection for BitLocker eliminates the risk of user tampering, providing enterprises the compliance assurance they need.

Garry McCracken

Garry, a CISSP, has more than 30 years of experience in data communications and information security. He has contributed to the development of WinMagic's full-disk encryption solutions for desktops, laptops, and other mobile devices. When he is not saving the world of data encryption, he takes off his cape to relax and enjoy life at the cottage. Garry writes from a position of technical expertise since we first started SecureSpeak, making him the longest running blogger at WinMagic.
